CVE-2024-28960 : An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

Published 2024-03-29 00:00:00

Updated 2024-07-03 01:51:58

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2024-28960

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-28960

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-28960

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N	3.9	4.2	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	N/A	N/A	RedHat-CVE-2024-28960	2024-03-29
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2024-28960

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-28960

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YE3QRREGJC6K34JD4LZ5P3IALNX4QYY/

[SECURITY] Fedora 40 Update: mbedtls-2.28.8-1.fc40 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NCDU52ZDA7TX3HC5JCU6ZZIJQOPTNBK6/

[SECURITY] Fedora 39 Update: mbedtls-2.28.8-1.fc39 - package-announce - Fedora Mailing-Lists
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Tech Updates / Security Advisories — Mbed TLS documentation

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/

[SECURITY] Fedora 38 Update: mbedtls-2.28.8-1.fc38 - package-announce - Fedora Mailing-Lists
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md

mbedtls-docs/security-advisories/mbedtls-security-advisory-2024-03.md at main · Mbed-TLS/mbedtls-docs · GitHub

Jump to

Vulnerability Details : CVE-2024-28960

Products affected by CVE-2024-28960

Exploit prediction scoring system (EPSS) score for CVE-2024-28960

CVSS scores for CVE-2024-28960

CWE ids for CVE-2024-28960

References for CVE-2024-28960